Re: Tutorial - Install OpenVPN on Ubuntu 10.04

Does anybody know what's the best way to prevent the private keys from being copied to another system? I have tried encfs and openssl commands, but I can't use them as we start the OpenVPN client as a server.

Protect them from whom exactly? Anyone with root privileges can copy those files, so the question you ask is really a question about access to the machine itself. If there are people who have physical access to the machine, and know how to reboot the machine into "recovery mode," all your keys can be copied. If someone has root or sudo privileges on the machine, that person can walk off with all the keys. If you can't trust the people who have root on the machine, then all bets are off in terms of security.

I make sure all the keys have 600 permissions so they are only readable by the root user. If you place the keys in a directory like I do (/etc/openvpn/keys), then that directory needs to have 0700 permissions. All the keys and associated directories should be owned by root:root.
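The permission layout described in this post (directory 0700, key files 0600, everything owned by root), written up as a shell script that audits a key directory and can apply the fix. This is an added example, not code from the original post; it assumes GNU `stat` (as on Ubuntu) and defaults to the post's /etc/openvpn/keys owner of root, with the owner made a parameter so it can be exercised as a non-root user.

```sh
#!/bin/sh
# Audit (and optionally repair) an OpenVPN key directory: every directory
# under it must be mode 0700 and every file 0600, all owned by OWNER
# (root by default, matching the root:root layout in the post).

# check_one PATH WANT_MODE OWNER: print one line per deviation found.
check_one() {
    mode=$(stat -c '%a' "$1")   # GNU stat: octal mode, no leading zero
    who=$(stat -c '%U' "$1")    # owning user name
    [ "$mode" = "$2" ] || echo "BAD MODE  $mode (want $2): $1"
    [ "$who" = "$3" ]  || echo "BAD OWNER $who (want $3): $1"
}

# audit_keys DIR [OWNER]: returns 0 if clean, 1 if any deviation was found
# (the deviations are printed), 2 if DIR is not a directory.
audit_keys() {
    dir=$1; owner=${2:-root}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # find's output includes DIR itself, so the top directory is checked too.
    findings=$(
        find "$dir" -type d | while IFS= read -r p; do check_one "$p" 700 "$owner"; done
        find "$dir" -type f | while IFS= read -r p; do check_one "$p" 600 "$owner"; done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# fix_keys DIR [OWNER]: apply the layout the post describes. Group
# ownership is left alone: with 0600/0700 modes the group gains nothing.
fix_keys() {
    dir=$1; owner=${2:-root}
    chown -R "$owner" "$dir"
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Command-line use: sh audit_keys.sh /etc/openvpn/keys [OWNER]
# (nothing runs without arguments, so the functions can also be sourced)
if [ $# -gt 0 ]; then
    audit_keys "$@"
fi
```

Run it as root after placing the keys; a non-zero exit with a list of BAD MODE / BAD OWNER lines means something was created with a permissive umask or copied in as the wrong user, and `fix_keys` puts it back to the state the post describes.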

Re: Tutorial - Install OpenVPN on Ubuntu 10.04

Well, I was thinking of the case where a "bad" user picks up the client hard disk and tries to read the information from another computer, via USB or by installing it in the other computer. I'd like to prevent this user from copying the keys and using them on another machine.

I'm working on a project where we will deploy several computers with OpenVPN connection to a central server and I want to be sure nobody else can access that server.

Re: Tutorial - Install OpenVPN on Ubuntu 10.04

Then make sure it's in a locked facility and don't give anyone sudo or root privileges but yourself. Also apply the restricted permissions on the key files I described above.

Knowledgeable users with physical access can do anything once they gain root. Rebooting into "recovery mode" is one such method, so you need to ensure no one can sit at the keyboard but you. Adding a BIOS password can help protect against this method of attack, as can locking the server case. Nearly any full-fledged server will come with a case lock.

As for enforcing client security, it appears that OpenVPN has some mechanisms for permitting connections only from specified MAC addresses. That would provide some protection against stealing the keys and connecting from somewhere else. Also you can restrict inbound connections so they can come only from specified client IP addresses. I do that via iptables, but there are also mechanisms to restrict connections by IP in the OpenVPN configuration as well.
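The iptables side of the previous post (allow the VPN port only from known client addresses), as an added example rather than the poster's own rules. It is a generator: it validates the addresses and prints the iptables commands, which you pipe to sh to apply. The chain name OPENVPN_IN, the port 1194/udp and the addresses in the usage note are my assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real client addresses.

```sh
#!/bin/sh
# Generate iptables rules that accept OpenVPN traffic only from an allow-list
# of client addresses and log (rate-limited) and drop everything else aimed
# at the VPN port. The rules live in their own chain, so re-running the
# script replaces the previous list instead of piling up duplicates.

# valid_ipv4 ADDR: ADDR is a dotted quad, optionally with a /0-32 prefix.
valid_ipv4() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32                      # no "/prefix" given
    case $pfx in ''|*[!0-9]*) return 1;; esac
    [ "$pfx" -le 32 ] || return 1
    case $addr in *[!0-9.]*|'') return 1;; esac      # digits and dots only
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs    # split on dots
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# openvpn_allow_rules PORT PROTO ADDR...: print the iptables commands on
# stdout; on any bad argument print nothing and return 1.
openvpn_allow_rules() {
    port=$1; proto=$2; shift 2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    case $proto in udp|tcp) ;; *) echo "bad proto: $proto" >&2; return 1;; esac
    [ $# -ge 1 ] || { echo "need at least one client address" >&2; return 1; }
    for a; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    # Create the chain, or empty it if it exists from an earlier run.
    echo "iptables -N OPENVPN_IN 2>/dev/null || iptables -F OPENVPN_IN"
    for a; do
        echo "iptables -A OPENVPN_IN -s $a -j ACCEPT"
    done
    # Log a sample of rejected attempts (a stolen key used from elsewhere
    # shows up here), then drop. Order matters: ACCEPTs before the DROP.
    echo "iptables -A OPENVPN_IN -m limit --limit 5/min -j LOG --log-prefix 'openvpn-denied: '"
    echo "iptables -A OPENVPN_IN -j DROP"
    # Hook the chain into INPUT exactly once: remove any old jump, then insert.
    echo "iptables -D INPUT -p $proto --dport $port -j OPENVPN_IN 2>/dev/null"
    echo "iptables -I INPUT -p $proto --dport $port -j OPENVPN_IN"
}

# Command-line use:
#   sh openvpn_allow.sh 1194 udp 203.0.113.10 198.51.100.0/24        # review
#   sh openvpn_allow.sh 1194 udp 203.0.113.10 198.51.100.0/24 | sh   # apply
if [ $# -ge 3 ]; then
    openvpn_allow_rules "$@"
fi
```

The rules are not persistent; save them with `iptables-save` and restore them at boot (or put the generated commands in your firewall script) or they are gone after a reboot. The address check is only as good as the list: a client behind a changing NAT address will lock itself out, which is the usual reason people weaken this to a whole /24.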

Re: Tutorial - Install OpenVPN on Ubuntu 10.04

I'm not an expert on encryption strategies, but it looks like that is the proper solution to your problem. If you can do full disk encryption via TrueCrypt or encrypt the sensitive folder using another EncFS, then even if someone pulls the drive they can't access the data.

This problem may be beyond the scope of this thread at this point, since it deals more with securing data on the drive rather than VPN issues.

b. In ordinary user mode, register for VPN service and download the .ovpn file, save securely. At this point you could use the 'Import' feature in the VPN connections tab, but that doesn't work in 10.04 (at least with the file I had).

c. Open the file (say client.ovpn) and extract the following sections and save as separate files:

File 1: ca.cert: all the text between the <ca> and </ca> tags, i.e. something like this:
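The extraction in step c, done with a script instead of by hand, as an added example that is not part of the original post. It pulls every inline block (<ca>, <cert>, <key> and, if present, <tls-auth>) out of the .ovpn into its own file, writes those files with 0600 permissions, and produces a config that references them; the rest of the profile (remote, dev, key-direction and so on) is copied through unchanged. The output names ca.crt, client.crt, client.key, ta.key and client.conf are my choice (the post calls the first one ca.cert).

```sh
#!/bin/sh
# Split an OpenVPN client profile with inline <ca>/<cert>/<key>/<tls-auth>
# blocks into separate files plus a config that points at them.

# extract_inline FILE TAG: print the lines between <TAG> and </TAG>.
extract_inline() {
    awk -v tag="$2" '
        BEGIN { otag = "<" tag ">"; ctag = "</" tag ">" }
        { sub(/[ \t\r]+$/, "") }       # tolerate CRLF and trailing blanks
        $0 == otag { inside = 1; next }
        $0 == ctag { inside = 0; next }
        inside     { print }
    ' "$1"
}

# strip_inline FILE: print FILE with every <x>...</x> block removed.
strip_inline() {
    awk '
        { sub(/[ \t\r]+$/, "") }
        /^<[a-z-]+>$/   { inside = 1; next }
        /^<\/[a-z-]+>$/ { inside = 0; next }
        !inside         { print }
    ' "$1"
}

# split_ovpn FILE OUTDIR: write the key material into OUTDIR (0700) as
# 0600 files and OUTDIR/client.conf referencing them. Returns 1 if FILE
# has no <ca> block, since that profile cannot be what the post describes.
split_ovpn() {
    src=$1; out=$2
    grep -q '^<ca>' "$src" || { echo "no <ca> block in $src" >&2; return 1; }
    mkdir -p "$out" && chmod 700 "$out"
    conf=$out/client.conf
    strip_inline "$src" > "$conf"
    for spec in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
        tag=${spec%%:*}; name=${spec#*:}
        grep -q "^<$tag>" "$src" || continue
        extract_inline "$src" "$tag" > "$out/$name"
        chmod 600 "$out/$name"
        # directive names match the tags: "ca FILE", "cert FILE", "key FILE",
        # "tls-auth FILE"; a key-direction line from the profile is kept above.
        echo "$tag $out/$name" >> "$conf"
    done
    chmod 600 "$conf"
}

# Command-line use: sh split_ovpn.sh client.ovpn /etc/openvpn/keys
if [ $# -eq 2 ]; then
    split_ovpn "$1" "$2"
fi
```

Run it as root so the resulting files end up owned by root, then point the connection at client.conf (or copy its ca/cert/key lines into whatever config you are building). Profiles that carry `tls-auth` inline usually also carry `key-direction`; it is copied through, so the generated `tls-auth ta.key` line does not need the direction argument.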

Re: Tutorial - Install OpenVPN on Ubuntu 10.04

Zenguy I just want to say thanks for the excellent guide. I've been working steadily for about three days on ironing out the issues for creating a bridged VPN server on Precise. You have my appreciation for cranking out this guide.